7 Jan
2018
7 Jan
'18
1:10 p.m.
Hi Tom,
Some tome ago I was fiddling with pfSense to make it my gateway. I
abandoned this idea because there was a couple of key issues for me:
- BSD needs a device for each IPIP tunnel, this gets the things much
more harder to setup;
- PfSense does not have the protocols used enabled by default, needing
manual edit of the web interface after each update. You have to do it by
yourself every time;
- Linux has ready made scripts to get the job done. These scripts were
made by good hams here and tested by several other people. It is easier
to create a small virtual machine and put a 256MB RAM Devuan working
than creating a gateway using BSD.
- PfSense team is minded to get the commercial way of pfSense as a
product, so do not expect any support to get the things working. Their
support forum is getting more unconcerned every day.
If you are still inclined to use some type of BSD firewall as an AMPRNet
gateway, I suggest using OPNSense to start. It was a project forked from
pfSense, but today have only 10% of original code and have open source
as priority yet. Their forum is much more friendly and responsive.
OPNSense has all protocols listed in the web interface, so passing IPIP
traffic back and forth is more intuitive (I still would not use it as a
gateway anyway).
Hope this helps,
73 de PT2LDR
Luzemario
www.luzehost.com.br
Em 06-01-2018 18:00, 44net-request(a)mailman.ampr.org escreveu:
Greetings,
I was working with Dan Cooper last spring to turn my pfSense box into
an ampr gateway. At the time I was trying to learn how IPIP worked AND
how BSD (pfSense) worked. I'm pretty well versed in linux... BSD...
not so much.
At the time I moved to Linux and Lynwood helped me get my head around
how the IPIP tunneling works. After seeing the volume of traffic that
tries to crack into my residential ISP connection (even though it
fails) I've decided to put my ampr gateway into a DMZ. I'm currently
in the process of moving my AMPR gateway into a pfSense DMZ.
I work in a loosely security related position at work and I'm doing
this as a security measure to knock down some of the noise my Linux
gateway/Router/Firewall/AMPRgateway was seeing, mostly from Russia,
China and other places that I didn't research. My new AMPR gateway
will still be on Linux, actually Raspbian on a Raspberry Pi, but the
only traffic it'll ever see is encapsulated traffic and traffic from
my network because all of the other noise will be filtered by the
pfSense box and won't exist in my DMZ.
Out of the box the pfSense user interface doesn't have support for
ipencap or AX25. I did a little bit of research (google) and found an
older post on the pfsense forum about which files to edit to add
ipencap and ax25 to the UI. Also, I just asked on the pfSense
subreddit to see if there are any other places within the pfSense UI
to edit which protocols are available for use.
Is anyone else using this method to NAT forward IPIP traffic to an
internal gateway (in my case using pfSense). I'm looking to find out
if I've missed anything with the port forwarding before I move
forward. I know Brian (N1URO) was working with IPIP tunneling behind a
NAT and I think (THINK) this might work.
So... here's what I've done.
pfSense version is 2.4.2p1. File edits follow...
In file:
/usr/local/www/firewall_nat_edit.php
On line 708, change:
$protocols = "TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP PIM OSPF";
To:
$protocols = "TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP PIM OSPF
IPENCAP AX25";
In file:
/usr/local/www/firewall_nat_out_edit.php
On line 510, change:
$protocols = "any TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP carp pfsync";
To:
$protocols = "any TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP carp
pfsync IPENCAP AX25";
In file:
/usr/local/www/firewall_rules_edit.php
Insert as line 1315 and 1316:
'ipencap' => 'IPENCAP',
'ax25' => 'AX25',
--
Tom / n2xu / MSgt USAF (Ret) / BSCS, CASP
8 Jan
8 Jan
12:32 a.m.
New subject: Changes afoot on my gateway (Tom Cardinal)
I'm using pfSense in it's default use except I'm nat forwarding the ipencap
to another machine in my DMZ which will act as my gateway. I don't know if
it'll work but I am seeing traffic at my AMPR gateway so I think I might be
onto something positive. I will fully document if I get it working.
--tom
On Sun, Jan 7, 2018 at 7:13 AM Luzemário Dantas <luzemario(a)luzemario.net.br>
wrote:
Hi Tom,
Some tome ago I was fiddling with pfSense to make it my gateway. I
abandoned this idea because there was a couple of key issues for me:
- BSD needs a device for each IPIP tunnel, this gets the things much
more harder to setup;
- PfSense does not have the protocols used enabled by default, needing
manual edit of the web interface after each update. You have to do it by
yourself every time;
- Linux has ready made scripts to get the job done. These scripts were
made by good hams here and tested by several other people. It is easier
to create a small virtual machine and put a 256MB RAM Devuan working
than creating a gateway using BSD.
- PfSense team is minded to get the commercial way of pfSense as a
product, so do not expect any support to get the things working. Their
support forum is getting more unconcerned every day.
If you are still inclined to use some type of BSD firewall as an AMPRNet
gateway, I suggest using OPNSense to start. It was a project forked from
pfSense, but today have only 10% of original code and have open source
as priority yet. Their forum is much more friendly and responsive.
OPNSense has all protocols listed in the web interface, so passing IPIP
traffic back and forth is more intuitive (I still would not use it as a
gateway anyway).
Hope this helps,
73 de PT2LDR
Luzemario
www.luzehost.com.br
--
73 de N2XU/Tom Cardinal/MSgt USAF (Ret)/BSCS/Security+/IPv6 Certified
2302
days inactive
2303
days old
1 comments
2 participants
participants (2)
-
Luzemário Dantas -
Tom C